U.S. Serial Number 09/734,810 Atty. Docket # AUS9-2000-0808-US1 

Benantar 

Method and system for managing a distributed trust path locator for public key certificates 
relating to the trust path of an X.509 attribute certificate 



FIG. 1A (PRIOR ART): data processing system 100; the drawing shows personal digital assistants and a wireless phone connected to the network.



FIG. 1B (PRIOR ART): data processing system 120 comprising CPU 122, RAM 124, ROM, an I/O adapter, a communication adapter 136 attached to a communication link, a display adapter 144 and display 146, and a user interface adapter 148 with keyboard 140 and mouse 142.






FIG. 2 (PRIOR ART): a user holding user public key 204 sends a request for certificate 208 to certifying authority 210, which holds CA public key 212 and CA private key 214; the CA returns X.509 certificate 216 containing the user public key, signed (218).














FIG. 3A (PRIOR ART): X.509 certificate 304 (Serial Number xxxxx, Issuer Name xxxxx, Subject Name /C=US/O=IBM/OU=DEVT/CN=JSMITH, Signature xxxxx) is presented to Internet/intranet application 306 on host system 308; system registry 310 maps subject JSMITH to a security group (xxxxxx).






FIG. 3B (PRIOR ART): attribute certificate (AC) 354, the holder's X.509 public key certificate (PKC) 356 and the AC's issuing authority's X.509 PKC 358 are presented together (352, 364) to Internet/intranet application 360 on host system 362; the system registry maps subject JSMITH to a security group (xxxxxx).




Attribute certificate 404 (only this label of the figure is recoverable).






Certificate ::= SEQUENCE {
    tbsCertificate        TBSCertificate,
    signatureAlgorithm    AlgorithmIdentifier,
    signature             BIT STRING }

TBSCertificate ::= SEQUENCE {
    version          [0]  Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
    issuer                Name,
    validity              Validity,
    subject               Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID   [1]  IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL,
    extensions       [3]  Extensions OPTIONAL }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore    Time,
    notAfter     Time }

Time ::= CHOICE {
    utcTime      UTCTime,
    generalTime  GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo 

::= SEQUENCE {
    algorithm         AlgorithmIdentifier,
    subjectPublicKey  BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnID     OBJECT IDENTIFIER,
    critical   BOOLEAN DEFAULT FALSE,
    extnValue  OCTET STRING }
AttributeCertificate ::= SEQUENCE {
    acinfo              AttributeCertificateInfo,
    signatureAlgorithm  AlgorithmIdentifier,
    signatureValue      BIT STRING }

AttributeCertificateInfo ::= SEQUENCE {
    version                 AttCertVersion DEFAULT v1,
    holder                  Holder,
    issuer                  AttCertIssuer,
    signature               AlgorithmIdentifier,
    serialNumber            CertificateSerialNumber,
    attrCertValidityPeriod  AttCertValidityPeriod,
    attributes              SEQUENCE OF Attribute,
    issuerUniqueID          UniqueIdentifier OPTIONAL,
    extensions              Extensions OPTIONAL }

AttCertVersion ::= INTEGER { v1(0), v2(1) }

Holder ::= SEQUENCE {
    baseCertificateID  [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName         [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo   [2] ObjectDigestInfo OPTIONAL
        -- if present, version must be v2
}

ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType  ENUMERATED {
        publicKey         (0),
        publicKeyCert     (1),
        otherObjectTypes  (2) },
        -- otherObjectTypes MUST NOT
        -- be used in this profile
    otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm     AlgorithmIdentifier,
    objectDigest        BIT STRING }

AttCertIssuer ::= CHOICE {
    v1Form  GeneralNames,  -- v1 or v2
    v2Form  [0] V2Form     -- v2 only
}

V2Form ::= SEQUENCE {
    issuerName         GeneralNames OPTIONAL,
    baseCertificateID  [0] IssuerSerial OPTIONAL,
    objectDigestInfo   [1] ObjectDigestInfo OPTIONAL
        -- at least one of issuerName, baseCertificateID
        -- or objectDigestInfo MUST be present
}

IssuerSerial ::= SEQUENCE {
    issuer     GeneralNames,
    serial     CertificateSerialNumber,
    issuerUID  UniqueIdentifier OPTIONAL }

AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime  GeneralizedTime,
    notAfterTime   GeneralizedTime }

Attribute ::= SEQUENCE {
    type    AttributeType,
    values  SET OF AttributeValue
        -- at least one value is required
}

AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType

FIG. 5C
PKClocator ::= SEQUENCE {
    holderPKClocator     [0] GeneralNames OPTIONAL,
    authorityPKClocator  [1] GeneralNames OPTIONAL }

wherein GeneralNames is defined by IETF RFC 2459 as

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
    otherName                  [0]  OtherName,
    rfc822Name                 [1]  IA5String,
    dNSName                    [2]  IA5String,
    x400Address                [3]  ORAddress,
    directoryName              [4]  Name,
    ediPartyName               [5]  EDIPartyName,
    uniformResourceIdentifier  [6]  IA5String,
    iPAddress                  [7]  OCTET STRING,
    registeredID               [8]  OBJECT IDENTIFIER }

FIG. 6






Flowchart (sheet 7/7, steps 702-716):

BEGIN
702  User at client sends attribute certificate (AC) to server supporting target service.
704  Target service extracts distributed trust path locator (DTPL) from attribute certificate.
706  Target service extracts locator for user's PKC from distributed trust path locator.
708  Target service extracts locator for AC-issuing authority's PKC from DTPL.
710  Target service retrieves user's PKC from specified location.
712  Target service retrieves AC-issuing authority's PKC from specified location.
714  Target service verifies attribute certificate using the retrieved PKCs.
716  Target service allows user/client access to controlled resources in accordance with attributes in user's attribute certificate.
END